Attack Active Directory

The document discusses access control lists (ACLs) in Active Directory (AD). It explains that an object's security descriptor in AD contains its discretionary access control list (DACL) and system access control list (SACL). The DACL specifies which principals have which rights over the object, while the SACL allows for auditing of access attempts. It also provides examples of how generic "All" access control entries (ACEs) could be abused to escalate privileges within an AD environment.


Another attacker's view of ACL in AD

Shlyundin Pavel
Bio
Name: Shlyundin Pavel
Alias: Riocool t.me/riocool
Day job: BSS-Security
Night job(s):
Github: github.com/PShlyundin/ldap_shell
Telegram channel: t.me/RedTeambro
Certifications:
OSCP, LPT, OSCE, OSWE, CRTE, EcPTXv2
CTF (Standoff) Team: True0xA3
ACL, DACL and SACL

▪ Access Control List (ACL) is basically shorthand for the DACL/SACL superset
▪ An object's Discretionary Access Control List (DACL) and System Access Control List (SACL) are ordered collections of Access Control Entries (ACEs)
  □ The DACL specifies what principals/trustees have what rights over the object
  □ The SACL allows for auditing of access attempts to the object

Security Descriptor

A security descriptor can include the following information:

• Object Owner (SID)
• Discretionary Access Control List (DACL)
• System Access Control List (SACL)
• Set of control bits

ACL in ADUC

ACL, DACL and SACL

ACE

All ACEs include:
□ A 32-bit set of flags that control auditing
□ A 32-bit access mask that specifies the access rights allowed
□ A security identifier (SID) that identifies the principal/trustee that has the given rights

ACE

RIGHT                              Mask         Human view
RIGHT_DS_CREATE_CHILD              0x00000001   CreateChild
RIGHT_DS_DELETE_CHILD              0x00000002   DeleteChild
RIGHT_DS_LIST_CONTENTS             0x00000004   ListChildren
RIGHT_DS_WRITE_PROPERTY_EXTENDED   0x00000008   Self
RIGHT_DS_READ_PROPERTY             0x00000010   ReadProperty
RIGHT_DS_WRITE_PROPERTY            0x00000020   WriteProperty
RIGHT_DS_DELETE_TREE               0x00000040   DeleteTree
RIGHT_DS_LIST_OBJECT               0x00000080   ListObject
RIGHT_DS_CONTROL_ACCESS            0x00000100   ExtendedRight
RIGHT_DELETE                       0x00010000   Delete
RIGHT_READ_CONTROL                 0x00020000   ReadControl
RIGHT_WRITE_DAC                    0x00040000   WriteDacl
RIGHT_WRITE_OWNER                  0x00080000   WriteOwner
RIGHT_GENERIC_ALL                  0x10000000   GenericAll
RIGHT_GENERIC_EXECUTE              0x20000000   GenericExecute
RIGHT_GENERIC_WRITE                0x40000000   GenericWrite
RIGHT_GENERIC_READ                 0x80000000   GenericRead

Mask decoding shown beside the table (an access mask is the OR of these bit values):
0x20000 – ReadControl
0x100 – ExtendedRight
0x30 – WriteProperty and ReadProperty
0x4 – ListChildren

ACE GUI

ACE

object_type='1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' – DS-Replication-Get-Changes-All
object_type='1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' – DS-Replication-Get-Changes
object_type='89e95b76-444d-4c62-991a-0facbeda640c' – DS-Replication-Get-Changes-In-Filtered-Set

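As an added example (not the author's code and not part of ldap_shell), a small Python audit helper that decodes an access mask with the RIGHT_* values from the table above and reports which trustees in a DACL hold control rights or the replication extended rights listed here; the ACE records and SIDs in it are constructed.

```python
# Added example, not part of the slides: decode an AD access mask with the
# RIGHT_* values from the table above, then flag allow-ACEs that give control
# of an object (Generic*/WriteDacl/WriteOwner, or DCSync via the replication
# extended-right GUIDs above). The DACL at the bottom is constructed data.
RIGHTS = {
    0x00000001: "CreateChild",    0x00000002: "DeleteChild",
    0x00000004: "ListChildren",   0x00000008: "Self",
    0x00000010: "ReadProperty",   0x00000020: "WriteProperty",
    0x00000040: "DeleteTree",     0x00000080: "ListObject",
    0x00000100: "ExtendedRight",  0x00010000: "Delete",
    0x00020000: "ReadControl",    0x00040000: "WriteDacl",
    0x00080000: "WriteOwner",     0x10000000: "GenericAll",
    0x20000000: "GenericExecute", 0x40000000: "GenericWrite",
    0x80000000: "GenericRead",
}
REPL_RIGHTS = {  # the first two together are what DCSync needs
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner"}

def decode_mask(mask: int) -> list:
    """Names of the rights set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def audit_dacl(aces: list) -> dict:
    """Map trustee SID -> control findings. ExtendedRight counts only with a
    replication GUID, or with an empty object_type (every extended right)."""
    findings = {}
    for ace in aces:  # assumes allow ACEs; deny ACEs need separate handling
        rights = set(decode_mask(ace["mask"]))
        hits = sorted(rights & CONTROL_RIGHTS)
        guid = ace.get("object_type", "").lower()
        if "ExtendedRight" in rights and guid in REPL_RIGHTS:
            hits.append(REPL_RIGHTS[guid])
        elif "ExtendedRight" in rights and not guid:
            hits.append("AllExtendedRights")
        if hits:
            findings.setdefault(ace["sid"], []).extend(hits)
    return findings

SAMPLE_DACL = [  # constructed: one DCSync-capable SID, one GenericAll SID
    {"sid": "S-1-5-21-0-0-0-1106", "mask": 0x100,
     "object_type": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    {"sid": "S-1-5-21-0-0-0-1106", "mask": 0x100,
     "object_type": "1131F6AA-9C07-11D1-F79F-00C04FC2DCD2"},
    {"sid": "S-1-5-21-0-0-0-1107", "mask": 0x10000000, "object_type": ""},
]
```

Running `audit_dacl` over a real DACL (for example one read with ldap_shell or bloodyAD) gives a per-SID list of the rights worth reviewing; the 0x20134 mask decoded beside the table above decodes to ListChildren, ReadProperty, WriteProperty, ExtendedRight and ReadControl.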
ACE

Properties

• msDS-KeyCredentialLink (Shadow creds) – https://github.com/ShutdownRepo/pywhisker
• msDS-AllowedToActOnBehalfOfOtherIdentity – Resource Based Constrained Delegation
• ms-DS-MachineAccountQuota – Relevant to CVE-2021-42278
• scriptPath – When logging on locally to the host, the path to the executable is stored in the scriptPath attribute
• msTSInitialProgram – When using the terminal server, the path to the executable file is stored in the msTSInitialProgram attribute
• userAccountControl – Stores the mask responsible for the object properties.

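As an added example (not from the slides), detection logic over simplified Windows event 5136 ("A directory service object was modified") records that flags value adds to the attributes listed above, plus servicePrincipalName; the event records and the CORP/corp.local names are constructed.

```python
# Added example, not from the slides: flag directory writes to the attributes
# listed above. Input records are a simplified model of Windows event 5136
# ("A directory service object was modified"); the events at the bottom are
# constructed sample data, not real log output.
WATCHED = {  # attribute (lowercased) -> what a write to it can mean
    "msds-keycredentiallink": "Shadow Credentials",
    "msds-allowedtoactonbehalfofotheridentity": "RBCD",
    "ms-ds-machineaccountquota": "MachineAccountQuota change",
    "scriptpath": "logon script path change",
    "mstsinitialprogram": "terminal server initial program change",
    "useraccountcontrol": "userAccountControl mask change",
    "serviceprincipalname": "SPN change (targeted Kerberoasting)",
}
DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit behind AS-REP roasting

def flag_event(ev: dict):
    """Return (subject, object, reason) for a sensitive value add, else None.
    Value deletes are ignored; for userAccountControl only a new value with
    DONT_REQ_PREAUTH set is reported."""
    attr = ev["attribute"].lower()
    if attr not in WATCHED or ev["operation"] != "add":
        return None
    reason = WATCHED[attr]
    if attr == "useraccountcontrol":
        try:
            uac = int(ev["value"])
        except ValueError:
            return None
        if not uac & DONT_REQ_PREAUTH:
            return None
        reason = "DONT_REQ_PREAUTH set (targeted AS-REP roasting)"
    return ev["subject"], ev["object"], reason

def scan(events: list) -> list:
    """All findings from a list of event records, in input order."""
    return [hit for hit in map(flag_event, events) if hit]

SAMPLE_EVENTS = [  # constructed; CORP and corp.local are placeholder names
    {"subject": "CORP\\helpdesk1", "object": "CN=User1,OU=Staff,DC=corp,DC=local",
     "attribute": "msDS-KeyCredentialLink", "operation": "add",
     "value": "constructed-keycredential-blob"},
    {"subject": "CORP\\helpdesk1", "object": "CN=User2,OU=Staff,DC=corp,DC=local",
     "attribute": "userAccountControl", "operation": "add", "value": "4260352"},
    {"subject": "CORP\\svc_sync", "object": "CN=User3,OU=Staff,DC=corp,DC=local",
     "attribute": "description", "operation": "add", "value": "Finance"},
    {"subject": "CORP\\admin", "object": "CN=SRV1,CN=Computers,DC=corp,DC=local",
     "attribute": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "operation": "delete", "value": "constructed-sd-blob"},
]
```

The sample value 4260352 is 0x410200, i.e. NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH, so only the second event and the shadow-credentials write are reported.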
Shadow credentials

Pre-requisites for this attack are as follows:

• the target Domain Functional Level must be Windows Server 2016 or above.
• the target domain must have at least one Domain Controller running Windows Server 2016 or above.
• the Domain Controller to use during the attack must have its own certificate and keys (this means either the organization must have AD CS, or a PKI, a CA or something alike).
• the attacker must have control over an account able to write the msDs-KeyCredentialLink attribute of the target user or computer account.

Shadow credentials

More masks

Set DcSync bloodyAD
bloodyAD - https://github.com/CravateRouge/bloodyAD

Set DcSync ldap_shell
Ldap_shell - https://github.com/PShlyundin/ldap_shell

ACL Abuse GenericAll
Computer:
• Reset password (bad idea)
• RBCD
• Read LAPS
• Read GMSA
• Shadow Credentials
User:
• Reset password
• Set SPN (target kerberoasting)
• Set dontreqpreauth (target as-rep roasting)
• Shadow Credentials
• Script Path
• msTSInitialProgram
ACL Abuse

ACL Abuse ldap_shell
https://github.com/PShlyundin/ldap_shell

ACL Abuse ldap_shell

ACL Abuse ldap_shell

1. Helpdesk1
   • Add member
2. Helpdesk2
   • Add member
3. User1
   • Target Kerberoasting/As-Reproasting
   • Script Path
   • Reset password
   • Shadow Credentials
4. User2
   • Target Kerberoasting/As-Reproasting
   • Script Path
   • ResetPassword
   • Shadow Credentials
5. SRV1
   • RBCD
   • Shadow Credentials
6. User3
   • Target Kerberoasting/As-Reproasting
   • UP to GenericAll
   • Script Path
   • Shadow Credentials
7. Admin
   • Target Kerberoasting/As-Reproasting
   • Set Owner (Get WriteDACL)
   • Script Path
   • UP to GenericAll -> Reset password
   • Shadow Credentials
8. REDTEAM.BRO
   • Set DcSync

DEMO1

DEMO2

Bonus

Questions?
